On Fri, Mar 14, 2008 at 4:59 PM, Eric Lawrence
<ericlaw@exchange.microsoft.com> wrote:
> Maciej Stachowiak [mjs@apple.com] asked, in part:
> > I am also not sure if a DNS rebound cross-domain XHR with
> > POST or some other method can do anything that you can't
> > do with a cross-domain form submission. You can set custom
> > headers, but that seems unlikely to make the difference between
> > safe and unsafe.
>
> It's certainly a possibility. For instance, consider a device which
> accepts SOAP XML as input The designers of the device were wise
> to note that a cross-domain form submission could be made
> (encType = text/plain) that contains XML-formatted content, and thus
> they devised an anti-CSRF mechanism of rejecting requests that do
> not bear a proper SOAPAction header. Such restriction properly blocks
> CSRF via HTML forms, but is put at risk if a cross-domain XHR
> request is able to send arbitrary headers.
The only servers that need worry about DNS rebinding attacks are those
behind firewalls and those that care about the IP address of the
client. These servers already need to defend themselves against DNS
rebinding attacks using the basic same-site XMLHttpRequest
functionality, by checking the Host header or using a DNS firewall
such as dnswall. The addition of cross-site XMLHttpRequest does not
increase the attack surface for the DNS rebinding attacker beyond that
of same-site XMLHttpRequests because same-site XMLHttpRequests can set
headers, including SOAPAction.
The access control specification
<http://dev.w3.org/2006/waf/access-control/> recommends the Host
header checking technique. This technique works because the known
socket-level DNS rebinding vulnerabilities in browsers have been
patched by Adobe and Sun.
Collin Jackson